Racing with time to get the latest payload of Blackhole Exploit Kit

06 Sep 2012
Getting the latest Blackhole exploit kit drop URL means racing with the devil itself. The dropped payload and its drop parameter change within hours. The landing page (infector) itself does not change that often, but we can no longer expect one active IP to keep the same infector scheme for days.

I share this as a "malware crusading" true story session of chasing the latest dropped binary of Blackhole itself. I am trying to write it in as much detail as possible so that every person who reads it understands what Blackhole is, what it can do to us, and how important it is to block its infectors in PDF, HTML, Java (JAR) and PE binaries, so please bear with the boring parts. WARNING: All of the URLs written in this blog are dangerous and infectious, so please do not try to simulate this operation if you are not a malware expert, since I will not be responsible for any damage caused by your misoperation. Here we go..

I am in the middle of monitoring the recent Blackhole drops. I am currently observing very fast movement of Blackhole; the latest IP is 85.17.58.123. After filtering all the spam databases I can grab daily, I found spam with the two links below:

h00p://85.17.58.123/data/ap1.php?f=97d19
h00p://85.17.58.123/main.php?page=9dd146e88937797b
(both were detected within a few hours, less than 24 hrs)

As you can see, it is a PDF file called baa7a.pdf. You can see the text part of this PDF itself here -->>[CLICK]. It contained malicious code, which I neutralized. So, what is this PDF file? It is a CVE-2009-0927 exploit PDF: its shellcode downloads and executes the payload provided by the exploit kit, in our case Blackhole. Let's understand the meaning of CVE-2009-0927. Reference: --> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927

Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object.

The evil script is assembled by the script in the "/S /JavaScript /JS" part, using the garbled, obfuscated data that follows the "10 0 obj" PDF tag.

If you deobfuscate it right, you will get this evil code -->>[CLICK]
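As an added illustration (my own code, not from the original post or any tool the author used), the heuristic below does the static triage the text describes: it walks the PDF objects, inflates the FlateDecode stream that follows the "10 0 obj" tag, and flags the /JavaScript action, the Collab.getIcon() call and a %u-encoded shellcode string. The sample PDF is constructed inline as a harmless stand-in for baa7a.pdf (the "shellcode" is NOP filler); the generic obfuscation-layer patterns (eval, String.fromCharCode) are my own assumptions, not indicators taken from the post.

```python
import re
import zlib

# Indicators the post's deobfuscated script exposes: the vulnerable
# Collab.getIcon() call and the unescape("%u....") shellcode string fed to it.
# The last two patterns are generic obfuscation markers (assumption, not from the post).
SUSPICIOUS = [
    (rb"Collab\s*\.\s*getIcon", "Collab.getIcon call (CVE-2009-0927)"),
    (rb"unescape\s*\(\s*[\"'](?:%u[0-9A-Fa-f]{4}){4,}", "%u-encoded shellcode string"),
    (rb"\beval\s*\(", "eval() obfuscation layer"),
    (rb"String\.fromCharCode", "fromCharCode decoding layer"),
]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def decode_stream(obj_body):
    """Return the stream payload of one object, inflating FlateDecode streams."""
    m = STREAM_RE.search(obj_body)
    if not m:
        return b""
    data = m.group(1)
    if b"/FlateDecode" in obj_body:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return data  # keep the raw bytes so a damaged stream still gets scanned
    return data


def scan_pdf(pdf_bytes):
    """Scan every object; return [(object_number, finding)] for JS-related indicators."""
    findings = []
    for num, _gen, body in OBJ_RE.findall(pdf_bytes):
        text = body + decode_stream(body)
        if re.search(rb"/S\s*/JavaScript", body) or re.search(rb"/JS\b", body):
            findings.append((int(num), "JavaScript action object"))
        for pattern, label in SUSPICIOUS:
            if re.search(pattern, text):
                findings.append((int(num), label))
    return findings


def build_sample_pdf():
    """Constructed stand-in for baa7a.pdf: an OpenAction JavaScript whose code sits
    Flate-compressed in '10 0 obj'. The 'shellcode' is inert NOP filler."""
    js = (b"var sc = unescape('%u9090%u9090%u9090%u9090');"
          b"var pad = ''; while (pad.length < 0x1000) pad += 'A';"
          b"Collab.getIcon(pad + sc);")
    packed = zlib.compress(js)
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /S /JavaScript /JS 10 0 R >> endobj\n",
        b"10 0 obj << /Length " + str(len(packed)).encode()
        + b" /Filter /FlateDecode >>\nstream\n",
        packed,
        b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for obj_num, finding in scan_pdf(build_sample_pdf()):
        print(f"obj {obj_num}: {finding}")
```

On the constructed sample this reports object 3 as the JavaScript action and object 10 for both the getIcon call and the shellcode string, which is exactly the pairing (action object plus a compressed code-carrying object) the post describes. Against a real file, inflate every stream regardless of the declared filter before judging it clean, since droppers also hide code in /ASCIIHexDecode or nested filter chains.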

What this code does is fetch the value passed to Collab.getIcon(), shown below:

I wrote in detail about this plugin in a previous post here -->>[CLICK], so I am not going to explain all of its functions again here, but let me explain what this code does for our current hunt: it detects your browser version and drops a malicious browser executable object (Leh.jar) that uses the infamous latest Java zero-day flaw CVE-2012-4681. The sample is in VirusTotal with the details below:

which means we got ANOTHER kernel32.dll loading urlmon.dll to download from h00p://85.17.58.123/w.php?f=97d19&e=1, save it into the legendary path C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, execute it, and register it as a service (I call it daemonized..) on your PC.

So, we have the OTHER parameter:
h00p://85.17.58.123/w.php?f=97d19&e=1
which is actually a NEW parameter replacing the previous one:
h00p://85.17.58.123/w.php?f=97d19&e=3

It is actually a Trojan Spy and downloader for FakeAV. Below are the details of the infection:

If you run it, it runs as a malicious process. Your PC will look up the domains below: and then send your PC information, encrypted, to the mothership with an HTTP POST to xxx-xxx.pro/fgrgrg14er8g.php.
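The whole chain so far (landing page, exploit PDF fetch, payload drop, FakeAV check-in) leaves a recognisable trail in web proxy logs. The script below is an added example of my own, not code from the original post, that classifies requests by the URL shapes seen in it and rebuilds the per-client chain. The proxy log lines are constructed; generalising the observed values to "16 hex characters for page, 5 hex characters for f, a digit for e" is my assumption about the kit's URL scheme, and www-www.pro is listed only as a same-registrant domain, as the post states, not as a confirmed C2.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the post: the active Blackhole IP and the FakeAV check-in host/path.
KNOWN_KIT_IP = "85.17.58.123"
C2_HOSTS = {"xxx-xxx.pro"}
RELATED_HOSTS = {"www-www.pro"}      # same registrant per the post; not observed as C2
C2_PATH = "/fgrgrg14er8g.php"

# Generalised URL shapes (assumption drawn from the two observed URLs).
HEX16 = re.compile(r"^[0-9a-f]{16}$")
HEX5 = re.compile(r"^[0-9a-f]{5}$")


def classify(method, url):
    """Map one request to a Blackhole chain stage, or None if nothing matches."""
    u = urlsplit(url)
    host, path, query = (u.hostname or "").lower(), u.path, parse_qs(u.query)

    def first(key):
        return query.get(key, [""])[0]

    if method == "POST" and host in C2_HOSTS:
        return "c2_post" if path == C2_PATH else "c2_host_contact"
    if host in RELATED_HOSTS:
        return "related_domain"
    if path == "/main.php" and HEX16.match(first("page")):
        return "landing"
    if path == "/data/ap1.php" and HEX5.match(first("f")):
        return "exploit_pdf"
    if path == "/w.php" and HEX5.match(first("f")) and first("e").isdigit():
        return "payload_drop"
    if host == KNOWN_KIT_IP:
        return "known_kit_ip"     # any other request to the observed IP
    return None


def scan_log(text):
    """Parse 'timestamp client method url status' lines; return (line_no, client, stage) hits."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, client, method, url, _status = parts
        stage = classify(method, url)
        if stage:
            hits.append((n, client, stage))
    return hits


CHAIN = ["landing", "exploit_pdf", "payload_drop", "c2_post"]


def infection_chains(hits):
    """Per client: chain stages in order, plus a verdict once a landing hit is
    followed by the payload drop or the C2 check-in."""
    by_client = {}
    for _n, client, stage in hits:
        by_client.setdefault(client, []).append(stage)
    report = {}
    for client, stages in by_client.items():
        ordered = [s for s in CHAIN if s in stages] + sorted(set(stages) - set(CHAIN))
        infected = "landing" in stages and ("payload_drop" in stages or "c2_post" in stages)
        report[client] = {"stages": ordered, "likely_infected": infected}
    return report


# Constructed proxy log: one client walks the full chain, two are benign, one only touches the IP.
SAMPLE_LOG = """\
2012-09-06T10:01:02 10.0.0.5 GET http://85.17.58.123/main.php?page=9dd146e88937797b 200
2012-09-06T10:01:04 10.0.0.5 GET http://85.17.58.123/data/ap1.php?f=97d19 200
2012-09-06T10:01:09 10.0.0.5 GET http://85.17.58.123/w.php?f=97d19&e=1 200
2012-09-06T10:02:30 10.0.0.5 POST http://xxx-xxx.pro/fgrgrg14er8g.php 200
2012-09-06T10:03:00 10.0.0.7 GET http://example.com/main.php?page=about 200
2012-09-06T10:03:30 10.0.0.8 GET http://85.17.58.123/favicon.ico 404
2012-09-06T10:04:00 10.0.0.9 GET http://example.org/index.html 200
"""

if __name__ == "__main__":
    for client, info in infection_chains(scan_log(SAMPLE_LOG)).items():
        print(client, info)
```

The stage names matter more than the single IP: when the kit moves to a new host, the main.php/ap1.php/w.php shapes with their parameter lengths still fire, while the IP rule only catches stragglers.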

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.$...................................S...............................A...........Rich....................PE..L....T.H................J...p...............P...

↑ For your information, this is the malware binary setup.exe. It will be saved in your %Temp% directory and copied under a random name, then it will be executed like this:
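The dump above is the start of a Windows PE image: the "MZ" DOS signature, the "This program cannot be run in DOS mode" stub text, and the "PE..L." signature where "L." is the little-endian i386 machine word 0x014C. As an added example of my own (not code from the post), the parser below pulls the triage fields an analyst checks first on such a drop: machine, PE32 vs PE32+, compile timestamp, whether the image is flagged as a DLL (relevant because the file landed as wpbt0.dll), the subsystem and the section list. The sample image is constructed inline with zeroed fields; its timestamp is an arbitrary constructed value.

```python
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
SECTION_HDR = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return triage fields from a PE image; raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    (subsystem,) = struct.unpack_from("<H", data, opt_off + 68)   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt_off + opt_size + i * 40
        name, _vsize, vaddr, rawsize, _rawptr, *_rest, schars = struct.unpack_from(
            SECTION_HDR, data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, rawsize, schars))
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": {2: "GUI", 3: "console"}.get(subsystem, str(subsystem)),
        "sections": sections,
    }


def is_pe(data):
    """True only when the MZ/PE signatures and headers parse cleanly."""
    try:
        parse_pe(data)
        return True
    except (ValueError, struct.error):
        return False


def build_sample_pe():
    """Constructed minimal image: DOS header with stub text, COFF header, PE32
    optional header (mostly zeroed) and one .text section. Timestamp is arbitrary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    msg = b"This program cannot be run in DOS mode.$"
    dos[0x40:0x40 + len(msg)] = msg
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    ts = 1346889600                          # constructed: 2012-09-06T00:00:00Z
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, ts, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(66) + struct.pack("<H", 2) + bytes(154)
    sect = struct.pack(SECTION_HDR, b".text\0\0\0", 0x1000, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + opt + sect


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

A file saved as wpbt0.dll whose characteristics lack IMAGE_FILE_DLL, or a compile timestamp only minutes old when the sample is collected, are the kind of cheap, signature-free tells this header read gives you before any sandbox run.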

This is the FakeAV "Live Security Platinum", with the live picture here: You can search for this FakeAV on Google here -->>[CLICK]

PS: the domain info of the domains that dropped this FakeAV: both WWW-WWW.PRO and XXX-XXX.PRO have the same owner.

1. Never ever think of giving up against these crooks. We are much smarter than these guys, and on top of that we have better morality & integrity.
2. Focus on your objective, and stay focused on it.
3. Pray; I am telling you, we need it to stay lucky ;-)